
There are many ways to remove NetBus. The easiest is to use the program Cleaner. If you want to get back at the hacker, there is a program called NetBuster. It lets you send them different stuff back and keeps them from getting anything off your computer or doing anything to it.
Netbus 1.5x removal
Find out the name of the NetBus-server (which is most often SysEdit.exe). Go to the task list and kill any suspicious process, if possible. If you can't kill Patch.exe, go to the 1.6 removal section. After each kill, try connecting to port 12345 (telnet localhost 12345); the moment you can't do that anymore, you have found the NetBus-server. Most often the NetBus-server starts every time your system (Windows) starts. Of course you can just delete the NetBus-server from your HD, but then you will get an irritating Windows message at startup telling you that the program could not be started. So, before deleting the NetBus-server from your HD, either delete the registry key \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Name of NetBus-server] or just run "NetBus_server_name /remove", which does the same thing. Finally, restart the computer. The NetBus-server also consists of the KeyHook.dll file, which you will probably find in the same directory (the DLL isn't able to do anything on its own). If you don't find it, someone has forgotten that it's necessary for some of the features to work properly (for example the Listen function).
NetBus 1.6 removal
Find out the name of the NetBus-server (which is most often Patch.exe). Run RegEdit.exe and look up the registry key \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. From that key you should be able to sort out the NetBus server program (again, most often Patch.exe) from the others. The offending entry normally ends with " /nomsg". When you've found the suspicious entry, do a file search for "[Name of the NetBus-server].exe" on your system. Finally, run "[Name of NetBus-server].exe /remove". If you've run the NetBus server before, you should see that it just starts and ends quickly without any interaction. Wonderful. An easier approach is to use the NetBus client (NetBus.exe) yourself: connect to localhost, choose "Server admin" and click on the "Remove server" button.
NetBus 1.7 removal
Removal is essentially the same as 1.60, with the exception that the password (if there is one) is no longer written to the registry. All preferences (including password) are written to an .ini file which will have the same name as the program. Here's an example patch.ini:
[Settings]
Port1=12345
ServerPwd=Password
LogTraffic=1
MailTo=Me@my.computer
MailFrom=DaBus@localhost
MailHost=your.mail.server
If IP logging is enabled (as it is in the above example), it will write all commands and IP addresses to IP.TXT. Another file (Read on, it's pretty important) is called "Access.txt". This file contains the list of IP addresses ALLOWED to connect to the Netbus server.
Therefore, the files to delete are: "Patch.exe", "Patch.ini", IP.TXT, as well as removing the startup portion from the registry.
The icon for Patch.exe no longer resembles a torch in windows explorer, now it resembles an Internet Explorer "Channel". Preliminary results show pretty much the same footprint as 1.6, although now the port could be anything the attacker wants it to be.
Network packet captures indicate that the password scheme is padded by one byte (from version 1.6) and uses a local file comparison against \%systemroot%\patch.ini. Gibby had the right idea in using a random-character-generated crack in NetBuster. If you've run the NetBuster crack, you'll notice it could take forever to crack a good password. If you want to protect yourself from this version, create a file using Notepad called "Access.txt" with only the IP 127.0.0.0.1 or some other invalid string on the top line, save it to your Windows or WINNT directory (also called "%systemroot%"), make the file attribute "read only", and reboot. This will keep NetBus 1.7 users from accessing your computer using NetBus 1.7. And if someone tries to slip NetBus 1.7 onto your computer, it won't matter, because they can't connect to you.
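The checks above (inspecting Run-key entries for the " /nomsg" switch, reading the port and logging settings out of patch.ini, and trying "telnet localhost 12345" to see whether the server still answers) collected into one host-side detection script. This is an added example, not code from the original page or from any of the tools it names; the sample ini text and Run-key values are constructed, and the banner match assumes the greeting begins "NetBus 1." as described below.

```python
import re
import socket
from configparser import ConfigParser

# Constructed sample in the patch.ini layout shown above (not a real capture).
SAMPLE_INI = """[Settings]
Port1=12345
ServerPwd=Password
LogTraffic=1
MailTo=Me@my.computer
"""

# Constructed sample of Run-key values as RegEdit shows them (value name -> command).
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "Patch": "C:\\WINDOWS\\Patch.exe /nomsg",
}

def parse_netbus_ini(text):
    """Return the configured port, whether a password is set, and whether IP logging is on."""
    cp = ConfigParser()
    cp.read_string(text)
    s = cp["Settings"]
    return {
        "port": s.getint("Port1", fallback=12345),          # 1.7 lets the attacker pick any port
        "has_password": bool(s.get("ServerPwd", fallback="")),
        "logs_traffic": s.getint("LogTraffic", fallback=0) == 1,  # commands and IPs go to IP.TXT
    }

def suspicious_run_entries(run_values):
    """Names of Run-key entries whose command ends in the ' /nomsg' switch NetBus installs with."""
    return [name for name, cmd in run_values.items()
            if cmd.strip().lower().endswith("/nomsg")]

def is_netbus_banner(data):
    """True if the first bytes read from a port look like the 'NetBus 1.xx' greeting."""
    return re.match(rb"netbus\s+1\.\d+", data.strip(), re.IGNORECASE) is not None

def local_port_has_netbus(port, timeout=2.0):
    """The 'telnet localhost <port>' check from the removal steps, without a telnet client."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as sock:
            return is_netbus_banner(sock.recv(64))
    except OSError:  # refused or timed out: nothing is listening there
        return False

if __name__ == "__main__":
    settings = parse_netbus_ini(SAMPLE_INI)
    print("Run-key entries to inspect:", suspicious_run_entries(SAMPLE_RUN))
    print(f"Port {settings['port']} answers with a NetBus banner:",
          local_port_has_netbus(settings["port"]))
```

Point parse_netbus_ini at the real %systemroot%\patch.ini and suspicious_run_entries at the exported Run key to check a live machine.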
Fun with Telnet (Version 1.60)
As the password encryption scheme is kind of primitive, NetBus 1.60 is also relatively easy to hack from Telnet by telnetting to port 12345. Once there, you are greeted with a response of "Netbus 1.xx". Any password will be accepted if it is offset with a padded "1", such as: Password;1;Password. You will at that point see "Access". Type in "ServerPwd;Password" and the password will be reset to "Password". The telnet session will seem hung, but the password is now changed. If you simply need information, "GetInfo;1" will suffice. You will have to enable local echo on the telnet client to see what you are typing to accomplish this. PLEASE, NO MORE EMAIL ASKING ME HOW TO DO THIS. As a side note, it's kind of humorous to read the death threats and stuff emailed to me for revealing this ankle-biter "secret".